This is how a pen test keeps your business secure
- Edited 18 July 2025
A pen test, or 'penetration test', checks whether your cybersecurity is good enough. During a test, a specialist tries to hack into your digital systems. They can then advise you on where the weaknesses are and how to fix them. Many companies, both large and small, work with sensitive data on their IT systems. For them, regular pen tests are even more important.
The specialist you hire pretends to be a criminal and carries out a planned cyberattack. It is like asking an ex-burglar to enter your home or business premises. Can they enter easily through a window left open? Or is your alarm system not working as it should? You fix these vulnerabilities before a real burglar targets your home or business premises. A pen tester does the same with your company's digital systems.
How does a pen test work?
A pen test is always customised. You agree clearly with the tester, also known as an ethical hacker, what the purpose of the test is and which systems the hacker is allowed to attack. For example, they attack your Wi-Fi network and try to steal customer information.
Inside information
You also determine what inside information the attacker has. In a “black box” pen test, the hacker knows nothing about your company. This is like a cybercriminal rattling your digital door for the first time. In a “grey box” pen test, you give the hacker access to part of your systems. So, you pretend a cybercriminal is already in your corporate network. And in a “white box” pen test, the pen tester gets all the information and access, such as passwords and details about the software you use. The task then is, for example, to extensively test the security of one of the software packages you use.
Consequences of a cyber attack
The pen tester looks for weak spots in your cybersecurity. And then penetrates your systems through those spots to steal customer data, for example. This shows you the possible consequences of a cyberattack, without damaging your business.
Fix weaknesses
Strengthen the weak spots the hacker discovers. Some things you can fix yourself, such as turning on two-factor authentication (2FA). With 2FA, logging into your accounts is a two-step process. This is safer, because in addition to your password, you need an extra code. You get this via SMS or an authenticator app, for example. For more complicated issues, ask your IT supplier or a cybersecurity specialist for help.
If you follow the pen tester's advice, a cybercriminal is less likely to gain entry to your network. And your money and data are better protected.
How much does a pen test cost?
The price of a pen test and how long it takes depend on what you are having tested. A small pen test costs around €1,000 and takes about a day. The pen tester will check your system for common weaknesses. Is the test more extensive? Then the amount can reach thousands or tens of thousands of euros. Such an extensive test can take weeks. Usually, you can continue working on systems that are being tested.
Repeat regularly
The results of a pen test show you how your security is now. But cybercriminals do not sit still. They are constantly discovering and exploiting new vulnerabilities. Your IT systems also change. For instance, you replace a computer or install new software. So do a pen test regularly, for instance once a year. Especially if you work with sensitive data and IT systems.
Is a pen test dangerous?
A pen test can be dangerous. For example, during the test, a system may malfunction. So, you should discuss with the ethical hacker in advance what risks you do or do not want to take. You also want to be sure that the pen tester themselves is reliable and will not abuse weaknesses in your systems or your sensitive data.
Approved pen testers
Only have pen tests carried out by registered security companies. These companies are, for example, members of the sector association Cyberveilig (Cybersecure Netherlands, in Dutch). Since 1 April 2021, there has been a national seal of approval for pen testing. Check with the Centre for Crime Prevention and Security (in Dutch) for approved pen testers with such a seal of approval.
Disclaimer
Before starting a pen test, you and the pen tester draw up a disclaimer, also known as a liability waiver or indemnity agreement (vrijwaringsverklaring in Dutch). With this disclaimer, you consent to a digital attack, among other things. It also states that the pen tester is not responsible for the consequences of the pen test. For example, damage to your IT systems. A pen test disclaimer is customised, just like the pen test itself. A registered security company will have experience in this. You can also ask an ICT lawyer to look at the agreement with you.